Threat Feed
critical advisory

CVE-2025-11024: Akilli Commerce E-Commerce Website Blind SQL Injection Vulnerability

CVE-2025-11024 is a critical SQL injection vulnerability affecting Akilli Commerce Software Technologies Ltd. Co.'s E-Commerce Website before version 4.5.001, allowing for blind SQL injection.

A blind SQL injection vulnerability exists in Akilli Commerce Software Technologies Ltd. Co.’s E-Commerce Website before version 4.5.001 (CVE-2025-11024). This vulnerability allows an attacker to inject malicious SQL queries without being able to see the results directly. The attacker relies on timing delays or error messages to infer information about the database structure and content. Successful exploitation can lead to unauthorized data access, modification, or deletion. Given the critical CVSS score of 9.8, organizations using affected versions should patch immediately.

Attack Chain

  1. An attacker identifies input fields on the E-Commerce Website that interact with the database (e.g., search fields, login forms, product filters).
  2. The attacker crafts malicious SQL queries using special characters and SQL syntax (e.g., '; WAITFOR DELAY '0:0:5'; --).
  3. The crafted SQL queries are injected into the identified input fields.
  4. The web application processes the injected SQL query, executing the malicious code against the database.
  5. Due to the blind SQL injection nature, the attacker cannot directly see the results of the query.
  6. The attacker uses timing-based techniques, such as WAITFOR DELAY in SQL Server or pg_sleep() in PostgreSQL, to infer information based on the response time. A delayed response indicates a successful condition in the injected SQL.
  7. The attacker uses boolean-based techniques, such as injecting SQL conditions that return different results based on whether the condition is true or false, to extract data bit by bit.
  8. The attacker progressively extracts sensitive information from the database, such as usernames, passwords, customer data, or financial information.

Impact

Successful exploitation of this blind SQL injection vulnerability (CVE-2025-11024) can lead to complete compromise of the database and the E-Commerce Website. Attackers can gain unauthorized access to sensitive customer data, including personal information, credit card details, and order history. This can lead to financial fraud, identity theft, and reputational damage for the affected organization. The CVSS score of 9.8 reflects the high potential for widespread impact.

Recommendation

  • Upgrade Akilli Commerce E-Commerce Website to version 4.5.001 or later to patch CVE-2025-11024.
  • Deploy the Sigma rule “Detect CVE-2025-11024 Exploitation Attempt via SQL Injection” to monitor for potential exploitation attempts.
  • Implement parameterized queries or prepared statements in the application code to prevent SQL injection vulnerabilities.
  • Enforce the principle of least privilege for database user accounts.
  • Regularly scan web applications for SQL injection vulnerabilities using automated tools and manual penetration testing.
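The following is an added example, not code from Akilli Commerce or from this advisory, illustrating the defect class behind CVE-2025-11024 and the parameterized-query fix recommended above. It uses a constructed in-memory SQLite product table (the real application's schema and language are not on the page and are not assumed). The boolean-based step of the attack chain is modelled as a regression check a developer can keep in a test suite: the vulnerable search answers differently to a true and a false injected condition, which is the oracle a blind attacker reads bit by bit, while the hardened search answers identically to both.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the store's product table (assumption: the
    real Akilli Commerce schema is not on the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, published) VALUES (?, ?)",
        [("blue jacket", 1), ("red scarf", 1), ("unlisted prototype", 0)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list[str]:
    """Product search as it must not be written: the user-supplied term is
    spliced into the SQL text, so a quote inside `term` closes the string
    literal and everything after it is parsed as SQL."""
    sql = f"SELECT name FROM products WHERE published = 1 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn: sqlite3.Connection, term: str) -> list[str]:
    """The same search as a parameterized query: the term is bound as a value
    by the driver and can never alter the statement's structure."""
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def leaks_boolean_oracle(conn: sqlite3.Connection, search, base: str) -> bool:
    """Regression check: submit one condition that is always true and one that
    is always false and report whether the endpoint's answer differs.  A
    difference is exactly the signal boolean-based blind injection relies on;
    a hardened endpoint returns the same (empty) result for both probes."""
    always_true = f"{base}%' OR 1=1 --"
    always_false = f"{base}%' OR 1=2 --"
    return search(conn, always_true) != search(conn, always_false)


if __name__ == "__main__":
    db = make_db()
    # Normal input behaves the same on both implementations.
    print(search_vulnerable(db, "jacket"), search_hardened(db, "jacket"))
    # The vulnerable version exposes the unpublished row to a true condition
    # and nothing to a false one; the hardened version exposes nothing either way.
    print("vulnerable leaks oracle:", leaks_boolean_oracle(db, search_vulnerable, "x"))
    print("hardened leaks oracle:", leaks_boolean_oracle(db, search_hardened, "x"))
```

Note that the `--` in the probe comments out the trailing `%'` of the original statement, which is why the spliced query still parses; the hardened version never sees those characters as SQL at all, so no amount of quoting or escaping in the input changes its behaviour. The check generalizes to any endpoint: if a true and a false condition in the same field produce different responses, the field is an injection point.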

Detection coverage (2 rules)

Detect CVE-2025-11024 Exploitation Attempt via SQL Injection
  Severity: high
  Detects CVE-2025-11024 exploitation attempts via common SQL injection payloads in web requests.
  Format: Sigma | Tactic: initial_access | Technique: T1190 | Source: webserver

Detect CVE-2025-11024 Exploitation Attempt via Error-Based SQL Injection
  Severity: medium
  Detects CVE-2025-11024 exploitation attempts via error-based SQL injection techniques in web requests.
  Format: Sigma | Tactic: initial_access | Technique: T1190 | Source: webserver
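The two rules above are listed by title only; the following is an added example of detection logic in the same spirit, written here and not taken from the Sigma rules themselves. The matching criteria are my assumptions: the high-severity rule fires on recognisable payload fragments in the request (the timing functions and boolean conditions named in the attack chain, and a quote followed by a statement terminator), and the medium-severity rule fires when a request carrying SQL metacharacters is answered with a 5xx status, the footprint left by error-based probing. The log lines are constructed in Apache combined format using documentation IP ranges and are not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample traffic (not real data).  Line 2 carries the WAITFOR DELAY
# probe quoted in the attack chain; the last line is a legitimate slug with a
# double hyphen, included to show it is not flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Oct/2025:10:01:12 +0000] "GET /search?q=blue+jacket HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Oct/2025:10:01:19 +0000] "GET /search?q=x%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3B+-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Oct/2025:10:02:03 +0000] "GET /product?id=12+AND+1%3D1 HTTP/1.1" 200 4870 "-" "curl/8.0"
198.51.100.9 - - [02/Oct/2025:10:02:05 +0000] "GET /product?id=12%27 HTTP/1.1" 500 312 "-" "curl/8.0"
198.51.100.9 - - [02/Oct/2025:10:02:09 +0000] "GET /product?id=12%27+AND+1%3D2-- HTTP/1.1" 500 330 "-" "curl/8.0"
192.0.2.4 - - [02/Oct/2025:10:03:00 +0000] "GET /product/blue--jacket HTTP/1.1" 200 5011 "-" "Mozilla/5.0"
"""

# Apache combined format: client, identity, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Rule 1 (high, assumed logic): the decoded request contains a payload fragment.
PAYLOAD_PATTERNS = {
    "timing": re.compile(r"waitfor\s+delay|pg_sleep\s*\(|\bsleep\s*\(", re.IGNORECASE),
    "boolean": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.IGNORECASE),
    "terminator": re.compile(r"'\s*(?:;|--)"),
}
# Rule 2 (medium, assumed logic): SQL metacharacter in the request plus a server error.
METACHAR_RE = re.compile(r"['\";]")


def parse_line(line: str):
    """Parse one combined-format line; the URI is percent-decoded so that
    encoded quotes and spaces are visible to the pattern checks."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded"] = unquote_plus(rec["uri"])
    return rec


def evaluate(rec: dict) -> list[dict]:
    """Apply both rules to one parsed record; a single request can trip both."""
    alerts = []
    base = {
        "ip": rec["ip"],
        "ts": rec["ts"],
        "uri": rec["uri"],
        "tactic": "initial_access",
        "technique": "T1190",
    }
    hits = [name for name, rx in PAYLOAD_PATTERNS.items() if rx.search(rec["decoded"])]
    if hits:
        alerts.append({**base, "rule": "sqli_payload", "level": "high", "matched": hits})
    if rec["status"] >= 500 and METACHAR_RE.search(rec["decoded"]):
        alerts.append(
            {**base, "rule": "sqli_error_based", "level": "medium", "matched": ["metachar+5xx"]}
        )
    return alerts


def detect(log_text: str) -> list[dict]:
    """Run the rules over a block of log text and return alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            alerts.extend(evaluate(rec))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["level"]:6} {a["rule"]:17} {a["ip"]:13} {a["matched"]} {a["uri"]}')
```

Two design points worth keeping when adapting this to a real rule: match on the decoded request, since percent-encoding is the first thing a probe hides behind, and keep the error-based rule conditioned on the response status, because a lone quote in a 200 response is mostly noise while a quote that produced a 500 is the signature of an application that let the input reach the database. Repeated alerts from one client against the same parameter, as in the constructed lines above, are the pattern to escalate on.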
